What it’s like being the only security company in your yc batch

This piece cuts through the startup mythology that treats every accelerator cohort as a monolith, revealing a stark reality: for security founders, the standard "move fast and break things" playbook is not just unhelpful—it's actively hostile. Ross Haleliuk, writing from Venture in Security, dissects the friction between Y Combinator's twelve-week sprint and the glacial pace of enterprise trust-building, using his friend Alex Chantavy's journey as a case study that exposes why most security startups fail to find product-market fit within an accelerator's timeline.

The Collision of Playbooks

Haleliuk frames the central tension immediately: "Our main takeaways are that a YC batch is built to help you raise your seed round as fast as possible, and that the YC playbook and the security startup playbook pull in almost opposite directions." This observation is crucial because it challenges the assumption that an accelerator's universal advice applies equally across verticals. While other founders might benefit from launching "crappy" products to gather feedback, Haleliuk notes that for security, "Design partners don't have any skin in the game because they're not paying you, so their feedback may be well intentioned but it's not aligned with what you need."

The author argues that the pressure to demonstrate immediate traction forces security founders into a paradox. They are told to sell immediately, yet enterprise buyers require months of due diligence before signing. Haleliuk describes the emotional toll of this mismatch: "When we quoted them full enterprise prices, they balked and seemed insulted and we were laughed out of several (Zoom) boardrooms." This anecdote highlights a critical gap in standard accelerator mentorship; partners often lack the context to understand that a security buyer's hesitation is not a rejection of the product, but a necessary function of risk management.

Security is all about credibility, and YC's brand did help us get in the room with many companies. But the 12-week clock is genuinely hostile to security sales cycles.

The narrative gains depth by referencing the founders' background with Cartography, an open-source tool they had nurtured for years before joining the program. This prior community trust was their "unfair advantage," allowing them to secure a six-figure contract when others were stuck in pilot limbo. It is worth noting that this mirrors the trajectory of companies like Wiz, which leveraged existing cloud expertise and relationships rather than waiting for a generic accelerator curriculum to generate leads. Haleliuk admits that without this pre-existing trust, "we would not have been able to tell them that dad is quitting his job to start a company completely bootstrapped without funding."

Critics might argue that relying on prior open-source success creates an unrealistic benchmark for first-time founders who lack such a community. However, Haleliuk's point remains valid: in security, the sales cycle is dictated by the buyer's risk tolerance, not the founder's speed of iteration.

The "Hell Week" Reality Check

The most visceral part of the coverage details the final stretch before Demo Day, where the pressure to close a deal becomes existential. Haleliuk recounts how Gustaf, a YC partner, shifted from supportive mentor to stern reality-checker: "I need to be clear with you. If this deal does not close, your fundraise is at risk." This moment underscores the high-stakes nature of accelerator programs where the brand's reputation is tied to the cohort's success metrics.

The author describes a grueling schedule of investor calls, noting that "back-to-back 30 minute calls" left him skipping lunch and struggling with storytelling. The breakthrough came only when the contract finally landed at 12:05 am on Wednesday, just hours before the next round of pitches. Haleliuk reflects on this pivot: "Many of the investors don't know much about cybersecurity, but they know what six figures in 12 weeks means." This reveals a harsh truth about venture capital: narrative often requires a hard number to anchor it, regardless of how well the underlying technology works.

It changes the demeanor of everything. I had to take the calls at home one day and my wife in the other room told me at one point "I gotta get out the house, at this point I think I can give your pitch better than you".

The emotional toll of this process is palpable as Haleliuk describes moving from an engineer's mindset—focused on "what" and "how"—to a founder's focus on "why would anyone care." He admits that the job is not glamorous: "A lot of the job is taking incremental, seemingly mediocre steps... hearing 'no' (or getting ghosted) over and over, and doing mundane things like setting meeting invites." This serves as a necessary counter-narrative to the "overnight success" stories often promoted in tech media.

The Verdict on Accelerators for Security

Haleliuk concludes that while Y Combinator was the right vehicle for SubImage, it was not because of its curriculum, but despite its constraints. He writes, "For us, it absolutely was... if you walk in with an existing source of trust and accept that most of the job is reconciling the two playbooks and how they land with your prospects." The author's advice to aspiring founders is blunt: "It's f*ing hard. Startups are hard enough on their own, and security makes everything worse."

The piece effectively argues that the standard accelerator model assumes a self-serve or low-friction sales motion, which rarely exists in enterprise security. Haleliuk suggests that the only way to survive is volume: "Have many, many conversations because volume is the only way to advance your company." This pragmatic approach prioritizes resilience over the idealized path of rapid scaling.

Startups are hard enough on their own, and security makes everything worse: you need to do enterprise sales from a position when you're likely not ready at all. You need every unfair advantage you can get.

Bottom Line

Ross Haleliuk delivers a necessary corrective to the startup gospel by exposing how the "move fast" ethos fails in high-stakes, trust-based industries like cybersecurity. The piece's greatest strength is its honest admission that success often depends on pre-existing relationships rather than accelerator magic, while its vulnerability lies in potentially discouraging founders who lack those initial unfair advantages but possess genuine innovation.

Deep Dives

Explore these related deep dives:

  • The Trusted Advisor by David H. Maister

  • Wiz, Inc.

    The article positions SubImage as an open-core alternative to this specific cloud security unicorn, making the competitor's business model essential for understanding the market gap the founders are targeting.

  • Cartography

    This open-source tool is the foundational product that drove the co-founders' partnership and community credibility before they pivoted to a commercial venture, illustrating how open source often seeds security startups.

  • Y Combinator

    While the accelerator is famous, this article specifically details the friction between its standard 'scale fast' playbook and the long sales cycles inherent in enterprise security, a nuance critical to the author's argument about batch dynamics.

Sources

What it’s like being the only security company in your yc batch

by Ross Haleliuk · Venture in Security

This is a guest post from a friend, Alex Chantavy, who is the co-founder & CEO of SubImage. Alex went through Y Combinator, and I have been asking him (or, as he rightfully calls it, nagging him) to share his story. Many people are familiar with the story of Vanta, which also participated in YC, but Vanta is unique because it actually sells to startups, so Y Combinator was also a great distribution channel for them. Most security companies don’t get to sell to other startups, so their YC experience is going to be very different.

We’ve spoken about this at BSides before and have been nagged (thanks Ross) to put it into written form, so here it is.

Kunaal and I got into Y Combinator in January of 2025 to create SubImage, and these first 17 months of the journey have been crazy. This is our story as a YC-backed security company, showing what worked for us and what we’d do differently knowing what we know now. If you work in information security and have ever dreamed about quitting your corporate job to become an entrepreneur, this post is for you.

Our main takeaways are that a YC batch is built to help you raise your seed round as fast as possible, and that the YC playbook and the security startup playbook pull in almost opposite directions. It can work, but most of the job is reconciling the two.

A little bit about us.

I’ve worked in infosec for over 15 years (by YC standards, I’m very old). I started my career at the NSA, eventually moving to Microsoft on the Azure Red Team, and then Lyft’s security team, where I met Kunaal and open sourced a tool called Cartography that grew a real community with dozens of companies using it. Kunaal left Lyft at some point to join a little startup called Anthropic.

I knew I wanted to keep working on Cartography, and Matt Klein, creator of Envoy, gave me the advice that my options were to stay at Lyft, go somewhere else that used it, or build my own company. Kunaal was my first and only pick for a cofounder because I knew what it was like to build something huge with him (Lyft’s vuln mgmt program).

A little bit about the company.

This explanation took us a very long time to come to, and it still ...